Lesson Learned from the Bybit Hack

By Dr. Ir. Charles Lim, Msc., Bsc., CSAP, Security+, CySA+, CND, CCSE, CTIA, CHFI, EDRP, ECSA, ECSP, ECIH, CEH, CEI

Deputy Head of Master IT Program
Head of Cybersecurity Research Centre of Excellence
Head of Security Operations Center
Swiss German University

On February 21, 2025, the cryptocurrency exchange Bybit suffered what is being called the largest digital heist in history—with over $1.5 billion in Ethereum-based assets stolen during a routine transfer from a cold wallet. This incident not only rattled the crypto market but also underscored critical lessons for cybersecurity professionals and organizations alike.

Hack Profile: What Happened at Bybit

Bybit, a Dubai-based cryptocurrency exchange with millions of users, experienced a breach in which hackers exploited its Ethereum cold wallet during a standard fund transfer. According to The Guardian, the attackers managed to manipulate the transaction process to siphon off approximately 401,000 ETH to unknown addresses [1]. Blockchain forensic experts quickly attributed the breach to tactics linked to North Korea’s Lazarus Group—a notorious hacker collective with a history of high-profile crypto thefts.

The breach was particularly alarming because it occurred not by exploiting a technical flaw in Bybit’s secure infrastructure but through sophisticated social engineering. Hackers used phishing techniques to compromise cold wallet signers and tricked them into authorizing malicious transactions. This manipulation even extended to altering the smart contract logic within the multisignature (multisig) wallet—a method typically regarded as one of the safest ways to store crypto assets [3].

Tactics and Exploit Methodology

The Bybit hack highlights several sophisticated attack vectors:

  • Phishing and Social Engineering: The attackers targeted key personnel, using deceptive communications to manipulate wallet signers into approving transactions that appeared legitimate [4].
  • Multisig Wallet Manipulation: Although multisig wallets are designed to add layers of security by requiring multiple approvals, the breach showed that if even one signer is compromised, the entire system is at risk. The hackers managed to replace the normal multisig contract with a malicious version, effectively bypassing this safeguard [5].
  • Obfuscation of the Transaction Trail: Once the funds were withdrawn, the stolen assets were quickly dispersed across multiple intermediary addresses. This layering technique is a well-known tactic to hinder blockchain tracing and recovery efforts.

Lessons Learned

The Bybit incident offers several key takeaways for enhancing cybersecurity practices:

  1. Human Element Remains the Weakest Link:
    Despite robust technological defenses, attackers often exploit human vulnerabilities. Social engineering was the critical factor in this hack, reminding us that employee training and awareness are as important as technical security measures.
  2. Limitations of Multisig Wallets:
    While multisig wallets provide an extra layer of security, they are not infallible. If a single signer is deceived, attackers can manipulate the system. This incident demonstrates that even advanced security protocols must be complemented by additional layers of verification and real-time monitoring.
  3. Need for Comprehensive Incident Response:
    Bybit’s swift public disclosure and its promise to cover losses 1:1 were vital in maintaining customer trust. A well-practiced incident response plan, combined with transparent communication, can help mitigate the fallout from such breaches.
  4. Importance of Continuous Security Audits and Monitoring:
    Regular audits of smart contracts, authentication systems, and transaction processes are essential. Advanced analytics and blockchain monitoring tools can help detect anomalies early, allowing organizations to react before significant losses occur.
  5. Collaboration is Key:
    The integration of blockchain forensic expertise was crucial in tracing the stolen assets. Collaborative efforts between exchanges, cybersecurity firms, and law enforcement agencies are necessary to counter advanced persistent threats like those posed by state-sponsored actors.

Recommendations for Organizations

Based on the Bybit hack, here are some recommendations to bolster cybersecurity defenses:

  • Implement Layered Security Measures:
    Use multi-factor authentication (MFA), secure endpoint protection, and network segmentation to minimize the risk of credential compromise.
  • Enhance Employee Training:
    Regularly educate staff on phishing, social engineering, and secure practices. Simulated phishing exercises can help employees recognize and avoid suspicious communications.
  • Adopt Real-Time Monitoring:
    Deploy advanced monitoring tools to detect and respond to anomalies quickly. Automated systems can flag unusual transaction patterns and trigger immediate reviews.
  • Reinforce Multisig Protocols:
    Consider additional safeguards for multisig wallets, such as air-gapped signing devices or independent cross-verification channels, to ensure that even if one component is compromised, the overall system remains secure.
  • Foster Industry Collaboration:
    Engage with cybersecurity communities, share threat intelligence, and work with blockchain forensics experts. The collective effort can improve the overall security posture of the crypto industry.
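The "Reinforce Multisig Protocols" and "Adopt Real-Time Monitoring" recommendations above can be made concrete with a signer-side pre-approval check: before a signer approves, an independent device recomputes the transaction digest from the raw fields and applies an agreed policy (destination allowlist, value cap, no calldata on a plain transfer, expected nonce). This is an added illustration, not code from the article or from Bybit; the `Proposal` and `SigningPolicy` field names, the digest construction and the sample addresses are assumptions.

```python
from dataclasses import dataclass
import hashlib
import json

@dataclass(frozen=True)
class Proposal:
    """A pending multisig transaction as shown to a signer (field names are assumed)."""
    to: str           # destination address
    value_eth: float  # amount to move
    data: str         # hex calldata; empty for a plain transfer
    nonce: int        # wallet nonce the signer expects

@dataclass(frozen=True)
class SigningPolicy:
    allowed_destinations: frozenset  # lowercased addresses agreed out of band
    max_value_eth: float             # cap for a single transaction
    expected_nonce: int

def canonical_hash(p: Proposal) -> str:
    """Recompute the digest from raw fields on an independent device so it can be
    compared with the digest the signing UI asks the signer to approve."""
    fields = {"to": p.to.lower(), "value_eth": p.value_eth,
              "data": p.data.lower(), "nonce": p.nonce}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def verify_before_signing(p: Proposal, policy: SigningPolicy, ui_digest: str) -> list:
    """Return the reasons to refuse; an empty list means the signer may approve."""
    reasons = []
    if canonical_hash(p) != ui_digest:
        reasons.append("UI digest does not match the independently computed digest")
    if p.to.lower() not in policy.allowed_destinations:
        reasons.append(f"destination {p.to} is not on the agreed allowlist")
    if p.value_eth > policy.max_value_eth:
        reasons.append(f"value {p.value_eth} ETH exceeds the {policy.max_value_eth} ETH cap")
    if p.data:
        reasons.append("plain transfer should carry no calldata, but this one calls into a contract")
    if p.nonce != policy.expected_nonce:
        reasons.append(f"nonce {p.nonce} differs from the expected {policy.expected_nonce}")
    return reasons

# Constructed sample data; the addresses and amounts are not real Bybit values.
HOT_WALLET = "0x" + "1" * 40
POLICY = SigningPolicy(frozenset({HOT_WALLET}), max_value_eth=1000.0, expected_nonce=7)
ROUTINE = Proposal(to=HOT_WALLET, value_eth=500.0, data="", nonce=7)
# Same destination and amount the UI displayed, but the payload now carries hidden calldata.
TAMPERED = Proposal(to=HOT_WALLET, value_eth=500.0, data="0xdeadbeef", nonce=7)
```

Running the check on `TAMPERED` against the digest the UI showed for `ROUTINE` refuses for two reasons (digest mismatch and unexpected calldata), which is exactly the gap a deceived signer cannot close by looking at the UI alone.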

Conclusion

The Bybit hack serves as a stark reminder that cybersecurity is not just about advanced technologies—it’s also about the people who use them. As attackers become more sophisticated, relying solely on technical defenses is no longer sufficient. Organizations must adopt a holistic approach that includes robust training, continuous monitoring, and collaborative threat intelligence sharing. By learning from the Bybit incident, both crypto platforms and traditional enterprises can better protect themselves against evolving cyber threats.

References

[1] The Guardian, “Crypto exchange seeks Bybit Ethereum stolen digital wallet,” Feb. 23, 2025. [Online]. Available: https://www.theguardian.com/technology/2025/feb/23/crypto-exchange-seeks-bybit-ethereum-stolen-digital-wallet

[2] Reuters, “Bitcoin drops below $90,000 as global jitters combine with Bybit hack,” Feb. 25, 2025. [Online]. Available: https://www.reuters.com/markets/currencies/bitcoin-drops-below-90000-first-time-month-ether-tumbles-2025-02-25/

[3] Business Insider, “What we know about the $1.5 billion Bybit crypto hack,” Feb. 23, 2025. [Online]. Available: https://www.businessinsider.com/what-we-know-bybit-crypto-ethereum-hack-2025-2

[4] Cointelegraph, “Bybit exchange hacked, over $1.4 billion in ETH-related tokens drained,” Feb. 21, 2025. [Online]. Available: https://www.cointelegraph.com/news/bybit-exchange-hacked

[5] Check Point Research, “What the Bybit Hack Means for Crypto Security and the Future of Multisig Protection,” Feb. 23, 2025. [Online]. Available: https://blog.checkpoint.com/security/what-the-bybit-hack-means-for-crypto-security-and-the-future-of-multisig-protection

SGU Cybersecurity Research Centre of Excellence

The Swiss German University (SGU) Cybersecurity Research Centre of Excellence is dedicated to advancing cutting-edge cybersecurity research, developing innovative security solutions, and fostering industry collaboration. Our centre provides expertise in cyber threat intelligence, risk management, and secure system development, equipping businesses and organizations with the tools to combat emerging cyber threats. We offer customized cybersecurity training, consulting services, and applied research projects, ensuring that our partners stay ahead of evolving digital risks. By working with SGU, you gain access to top-tier cybersecurity experts, state-of-the-art research, and real-world security solutions tailored to your organization’s needs. Let’s collaborate to strengthen your cybersecurity posture and drive innovation in digital security.

About SGU

SWISS GERMAN UNIVERSITY (SGU), an international university in Indonesia, was established in 2000 as a joint effort between Indonesia, Germany, Switzerland, and Austria. We are the pioneer in offering international curricula in Indonesia. Qualified students can graduate with a Double Degree from Indonesia and Germany, which SGU provides in cooperation with partner universities; surely a valuable asset for your future career. Ever since its establishment, SGU has been dedicated to delivering quality education in line with international standards and aims to develop skilled professionals who meet the demands of the industry. In order to achieve its objectives, SGU offers quality-oriented learning through 17 Bachelor’s Degree Programs and 6 Master’s Degree Programs ranging from Engineering, Information Technology, and Business to Life Sciences and Social Sciences. Furthermore, with small class sizes and English as the medium of instruction, you can look forward to pursuing your tertiary education and degree with full confidence.